Subject: [CISSP-D] REVIEW: "Information Security and Employee Behaviour", Angus McIlwraith
Date: Thu, 15 Jun 2006 10:39:42 -0800
BKISEMBE.RVW   20060520

"Information Security and Employee Behaviour", Angus McIlwraith, 2006,
0-566-08647-6, U$99.95
%A   Angus McIlwraith Angus.McIlwraith@btinternet.com
%C   Suite 420, 101 Cherry Street, Burlington, VT   05401-4405  USA
%D   2006
%G   0-566-08647-6
%I   Gower Publishing Limited
%O   U$99.95 www.gowerpub.com info@gowerpub.com
%O  http://www.amazon.com/exec/obidos/ASIN/0566086476/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0566086476/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0566086476/robsladesin03-20
%O   Audience i+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P   169 p.
%T   "Information Security and Employee Behaviour"

In the introduction, McIlwraith points out that security awareness
training properly consists of communication, raising of issues, and
encouragement to modify behaviour.  (This will come as no surprise to
those who recall the definition of training as the modification of
attitudes and behaviour.)  He also notes that security professionals
frequently concentrate solely on presentation of problems.  The
remainder of the introduction looks at other major security
activities, and the part that awareness plays in ensuring that they
actually work.

Part one looks at a "framework for understanding."  Chapter one
addresses employee risk, and the fact that people assess risk very
poorly.  Issues such as whether the risk is controlled by the self or
another, problems that are diffuse or dispersed, and immediacy all
reduce our perception of the scale of the hazard.  Other psychological
reasons for poor decision-making are also examined.  (There is also
some explanation as to why security people get fixated on their field,
and often over-emphasize minor problems.)  This material definitely
provides an understanding of the problem for anyone involved in
security awareness, but unfortunately does not give equivalent
solutions.  The discussion of culture, in chapter two, describes a
number of diverse corporate styles, with suggestions for the type of
approach most likely to be effective in each.  The fact that security
professionals are frequently perceived as problem-creating, rather
than problem-solving, is hardly a surprise, and so neither is chapter
three.  However, it does outline various reasons for this perception,
which may give us insight into changes we could make.  (I'm finishing
off the security dictionary manuscript at the moment, and McIlwraith's
comments on the jargon we use in security are definitely cringe-
making.)

Part two moves into solutions.  Chapter four outlines practical
strategies and techniques.  The author lists five major points: manage
by facts and reality (rather than vague desires), have specific
objectives (instead of just "we need training"), plan carefully,
implement meticulously, and get real feedback on the results. 
Additional mechanisms for training success are discussed.  Realistic
assessment of the program (and the danger of simple metrics) is
reviewed in chapter five.  (I might take slight exception to
McIlwraith's recommendation on rating scales: any use of odd-numbered
scales tends to push responses into the middle.)  Design of the
delivery media for awareness materials is as important as the message,
and chapter six provides useful advice for those of us who are
stylistically challenged--which includes pretty much the entire
technically-oriented clan.

McIlwraith's message is important.  His writing is interesting and
clear.  His suggestions are useful.  His book is recommended for
anyone with either a specific obligation for awareness training, or
overall responsibility for security management.

copyright Robert M. Slade, 2006   BKISEMBE.RVW   20060520


======================  (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
So what we are generally trying to do is not really Risk
Assessment, but Risk Justification.  We don't want to reduce risk
so much as justify why we are allowing our assets to be so
exposed.                                                - Bill Royds
Dictionary Information Security     www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

